[Unbound-users] Insisting on DNSSEC
lists at peter.de.com
Mon Jan 13 16:09:12 CET 2014
On Sun, Jan 12, 2014 at 11:03:47AM +0100, Rick van Rein wrote:
> > If an application wants to insist on DNSSEC, they simple need to query
> > and check for the AD bit being set. It's not up to the resolver to
> > set application policy.
> Two reasons make this technically correct, but intractable:
> 1. The person wanting to enforce this policy may be a sysadmin, rather than a developer. He’d end up doing nasty things with firewalls and experience delay times.
> 2. I think the recursive resolver is the ultimate place to implement insisting on DNSSEC; using an overloaded bit to do it elsewhere somewhat scares me.
Why does this scare you? If you don't trust the AD bit from your
DNSSEC validating resolver - why trust the response at all?
Perhaps DNS is not the right thing for your application.
> So I, ehm, insist, that this is a useful feature to add to Unbound ;-)
Unbound has been released under the BSD license which means you are
free to svn checkout the sources and hack, hack, hack.
Oliver PETER oliver at gfuzz.de 0x456D688F
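The application-side check discussed above, as an added example that is not part of this thread or of Unbound: build a query that asks for DNSSEC (AD flag plus an EDNS0 OPT record with the DO bit) and accept a reply only when it is a NOERROR response carrying the AD bit. The sample responses and the name example.com are constructed here; the check only means something when the reply comes from a validating resolver over a path you trust, such as a local Unbound instance.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035 section 3.2.3)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
EDNS_DO = 0x8000  # DO bit sits in the high bit of the OPT RR's TTL low 16 bits (RFC 3225)


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels, root byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Query with RD and AD set, plus an EDNS0 OPT RR in the additional section carrying DO."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload size 4096, ext-rcode/version 0 + DO, rdlen 0
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def response_is_authenticated(wire, txid):
    """Return True only for a matching NOERROR response whose AD bit is set."""
    if len(wire) < 12:
        return False
    rid, flags = struct.unpack(">HH", wire[:4])
    if rid != txid or not flags & FLAG_QR:
        return False
    if flags & 0x000F:  # RCODE other than NOERROR: do not trust, regardless of AD
        return False
    return bool(flags & FLAG_AD)


# Constructed sample responses; only the 12-byte header is needed for the check.
AUTHENTICATED = struct.pack(">HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
UNAUTHENTICATED = struct.pack(">HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)

if __name__ == "__main__":
    print(build_query("example.com", 1).hex())
    print(response_is_authenticated(AUTHENTICATED, 0x1234),
          response_is_authenticated(UNAUTHENTICATED, 0x1234))
```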